About this Guide


This design guide is intended for technically-minded practitioners and provides
illustrative examples of how organizations can simplify and strengthen their
networking and security architecture with Cloudflare One, our SASE platform.
Cloudflare One unifies network connectivity services with Zero Trust security
services — all delivered on the Cloudflare global network.


The first section of this design guide focuses on holistic transformation and 
modernization by illustrating all the possible connectivity and security elements 
aligned to inbound networking, outbound networking, and applications before vs. 
after Cloudflare. It compares the legacy centralized security perimeter approach 
relying on multi-vendor solutions to the Cloudflare global network approach that 
leverages one composable platform architecture. 


The next sections walk through common technical use cases — first, how that 
problem is typically solved with a legacy approach, and then, how Cloudflare One 
solves the same problem with greater efficiency and improved experience. 


Two use cases were prioritized based on their popularity among customers, 
but they by no means represent the full scope of Cloudflare One's capabilities. 


- Secure access for private and public web applications
- DNS filtering for on-prem and remote employees


We will continue to expand this guide with additional use cases, including secure 
access to private networks, advanced threat/data protection, and more. 
Transformation:
A Before vs. After Cloudflare Comparison


CLOUDFLARE ONE DESIGN GUIDE 


Secure, fast, reliable, & private connectivity for any user 


Any user 


Organizations must enable secure, fast, reliable, and private 
connectivity for two groups of users. 


Managed users are employees accessing a resource with 
a corporate or personal device from home, the office, or 
anywhere in between. 


Unmanaged users include contractors or partners authorized 
to access a resource but also attackers who are not. 

Managed Users

- Corporate devices
- Personal devices

- Remote homes
- Branch offices
- Anywhere

Unmanaged Users

- Contractors
- Partners
- Attackers


Any resource 


Organizations must enable access management with 
threat and data protection for two groups of resources. 


Private resources include self-hosted apps and private 
IPs or hostnames within public clouds and on-prem data 
centers, plus IT-approved SaaS apps. 


Public resources on the Internet include unsanctioned 
SaaS apps and threats. 


Private Resources

- Self-hosted apps
- Private IP & hostnames
- SaaS apps (IT-approved)

- Public clouds
- On-prem data centers

Public Resources

- Internet
- Threats
- SaaS apps (shadow IT)


Comparing connectivity & security before vs. after Cloudflare 


On the next six pages, a series of before vs. after diagrams incrementally layer
details about all the possible connectivity and security elements your organization
requires for managed users accessing public resources and managed or unmanaged
users accessing private resources.

The first “before” diagram illustrates the endpoint compute and network appliances
deployed in a centralized security perimeter.


The second “after” diagram illustrates the comparable 
cloud services delivered via Cloudflare’s global network. 
1a. Simplifying connectivity & security for public resources

Before Cloudflare

[Diagram: Centralized Security Perimeter. Managed users reach public resources
through the elements listed below; ------ marks network traffic not routed/filtered
through these elements, and a highlighted box marks the first instance of an element.]

Endpoint compute on managed users' devices (*the first 5 elements do not apply for
personal devices):
- Dev tools e.g. PuTTY client
- Virtualization client
- DLP client
- MDM posture client
- HTTP/DNS proxy client
- VPN client

Network appliances in the centralized security perimeter:
- Anti-virus scanner
- HTTP proxy
- SSL inspection
- DNS proxy/nameserver
- External network firewall
- SD-WAN (Internet, MPLS)

Log storage and security analytics cover IP traffic, DNS traffic, HTTP traffic, user
context, device context, app context, and data context.

Managed users (to public and private resources): IT teams had to manage many clients
for connectivity and security — or worse, they couldn't for personal devices. Dev
tools and VPN for private access. HTTP/DNS proxy for public access. Virtualization,
DLP, and MDM for better protection.

Public resources: Security teams relied on the VPN client or SD-WAN to route traffic
from remote or office users through the network firewall, DNS proxy, SSL inspection,
HTTP proxy, and anti-virus scanner appliances to protect public resource access.

After Cloudflare

[Diagram: Cloudflare Global Network including L3-7 Anycast Routing & Traffic
Acceleration. Managed users reach public resources through the services listed
below; ------ marks network traffic not routed/filtered through these elements, and a
highlighted box marks the first instance of an element.]

The network is the computer®:
- In-browser terminal (SSH, VNC & more)
- RBI service
- Device client

ZTNA service (w/ built-in CASB controls) via Cloudflare onramps (clientless access,
device client)

Composable SWG service:
- L4-7 forward proxy (with built-in CASB discovery & control)
- Recursive DNS service

WAN as a service (w/ built-in FW as a service) via Cloudflare onramps (IP tunnel,
direct connection)

Built-in & unified cloud log storage & security analytics for all services

Managed users (to public and private resources): The network removes many functions
from the computer or one client consolidates many functions.

Public resources: Our composable SWG service inspects traffic in a single pass before
or after adopting our WAN as a service and/or ZTNA service with built-in security.
1b. Simplifying connectivity & security for public resources

Before Cloudflare

[Diagram: the same Centralized Security Perimeter as in 1a (managed users' endpoint
clients, the network appliances, and log storage with security analytics), now with a
legend marking additional endpoint compute required, additional network appliances
required, the first instance of each element, inbound, outbound and application
networking, and network traffic not routed/filtered through these elements. The first
5 endpoint elements do not apply for personal devices.]

After Cloudflare

[Diagram: the same Cloudflare Global Network view as in 1a (the network is the
computer®, ZTNA service, composable SWG service, WAN as a service, built-in & unified
cloud log storage & security analytics), now with a legend marking endpoint compute
that shifts to the cloud, network appliances that shift to the cloud, endpoint
elements removed by Cloudflare WARP, the first instance of each element, inbound,
outbound and application networking, and network traffic not routed/filtered through
these elements.]

Cloud-native services: Endpoint compute and network appliance requirements are
reduced.

Composable architecture: The inbound and outbound networking stacks are unified with
the application stack for end-to-end security and performance.
2a. Simplifying connectivity & security for private resources

Before Cloudflare

[Diagram: Centralized Security Perimeter. Managed and unmanaged users reach private
resources through the elements listed below; ------ marks network traffic not
routed/filtered through these elements, and a highlighted box marks the second
instance of an element already shown in diagram 1.]

Elements facing unmanaged users:
- DNS nameserver
- Global load balancer
- DDoS protection
- Web application firewall

Elements in front of private resources:
- Internal load balancer
- Internal network firewall
- VPN concentrator
- External network firewall
- SD-WAN (Internet, MPLS)

Log storage and security analytics cover IP traffic, DNS traffic, HTTP traffic, user
context, device context, app context, and data context.

Unmanaged users: Network teams had to manage publicly announcing availability of
private resources to contractors and partners, and guard against DDoS or exploitation
by attackers.

Private resources (from managed & unmanaged users): Security teams relied on the VPN
client or SD-WAN to route traffic from users through network firewalls, VPN
concentrators, and load balancers to secure private resource access.

After Cloudflare

[Diagram: Cloudflare Global Network including L3-7 Anycast Routing and Traffic
Acceleration. Managed users reach private resources through the ZTNA service and an
app connector; unmanaged users reach them through the composable app & network
services. A highlighted box marks the second instance of an element.]

Managed users:
- ZTNA service (w/ built-in CASB controls) via Cloudflare onramps (clientless access,
  device client)
- App connector

Unmanaged users, composable app & network services:
- Authoritative DNS & BGP announcement (w/ built-in DDoS protection)
- WAAP

WAN as a service (w/ built-in FW as a service) via Cloudflare onramps (IP tunnel,
direct connection)

Built-in & unified cloud log storage & security analytics for all services

Unmanaged users: Our composable application and network services eliminate this
burden either before or after adopting our ZTNA service or WAN as a service with
built-in security.

Private resources (from managed & unmanaged users): Our ZTNA service and/or WAN as a
service with built-in security simplifies access using our app connector.
2b. Simplifying connectivity & security for private resources

Before Cloudflare

[Diagram: the same Centralized Security Perimeter as in 2a (DNS nameserver, Global
load balancer, DDoS protection, Web application firewall facing unmanaged users;
Internal load balancer, Internal network firewall, VPN concentrator, External network
firewall and SD-WAN (Internet, MPLS) in front of private resources; log storage and
security analytics over IP, DNS and HTTP traffic plus user, device, app and data
context), now with a legend marking additional network appliances required, the
second instance of each element, inbound, outbound and application networking, and
network traffic not routed/filtered through these elements.]

After Cloudflare

[Diagram: the same Cloudflare Global Network view as in 2a (ZTNA service with app
connector for managed users; composable app & network services, Authoritative DNS &
BGP announcement with built-in DDoS protection, WAAP and WAN as a service for
unmanaged users; built-in & unified cloud log storage & security analytics), now with
a legend marking network appliances that shift to the cloud, endpoint elements
removed by Cloudflare Tunnel, the first instance of each element, inbound, outbound
and application networking, and network traffic not routed/filtered through these
elements.]

Cloud-native services: Endpoint compute and network appliance requirements are
reduced.

Composable architecture: The inbound and outbound networking stacks are unified with
the application stack for end-to-end security and performance.
Simplifying connectivity & security for any resource

This view combines diagrams 1 and 2 together.

[Diagram, Before: managed and unmanaged users reach private and public resources
through the Centralized Security Perimeter. Endpoint compute: Dev tools e.g. PuTTY
client, Virtualization client, DLP client, MDM posture client, HTTP/DNS proxy client,
VPN client. Network appliances: External network firewall, SD-WAN (Internet, MPLS),
DNS proxy/nameserver, SSL inspection, HTTP proxy, Anti-virus scanner, Internal load
balancer, Internal network firewall, VPN concentrator, Web application firewall, DDoS
protection, Global load balancer, DNS nameserver. Log storage and security analytics
cover IP traffic, DNS traffic, HTTP traffic, user context, device context, app
context, and data context.]

[Diagram, After: the Cloudflare Global Network including L3-7 Anycast Routing and
Traffic Acceleration. The network is the computer®: in-browser terminal (SSH, VNC &
more), RBI service, device client. ZTNA service (w/ built-in CASB controls) via
Cloudflare onramps (clientless access, device client). WAN as a service (w/ built-in
FW as a service) via Cloudflare onramps (IP tunnel, direct connection). Composable
SWG service: Recursive DNS service, L4-7 forward proxy (with built-in CASB discovery
& control). App connector. Composable app & network services: WAAP, Authoritative DNS
& BGP announcement (w/ built-in DDoS protection). Built-in & unified cloud log storage
& security analytics for all services.]

Connectivity and security elements are re-used when any user accesses any resource,
which improves efficiency and experience. Also, our ZTNA service and WAN as a service
span elements that were traditionally managed in silos across IT, network, and
security teams.
One platform for the simplest connectivity & security

Centralized security perimeter vs. Cloudflare global network

Before

[Diagram: managed and unmanaged users reach private and public resources through a
centralized security perimeter.]

Centralized security perimeter:
- Many solutions with point-to-point integrations
- Limited, multi-pass traffic inspection
- Limited, delayed threat intelligence

IT, network and security teams relied on many vendors’ solutions, each with a
different architecture, such that point-to-point integrations led to connectivity and
security gaps with limited performance.

After

[Diagram: managed and unmanaged users reach private and public resources through the
Cloudflare global network.]

Cloudflare global network:
- One platform with composable architecture
- Cloud-scale, single-pass traffic inspection
- Cloud-scale, real-time threat intelligence

All teams leverage one platform with the same composable architecture to eliminate
gaps and performance tradeoffs. Our entire platform runs everywhere and is built to
fit your world, not the other way around.

You can deploy any number of services, in any sequence, and it'll still work uniformly
together.
Use Case 1:
Secure Access for Web Applications
Legacy design - first glance

This graphic represents a traditional method of providing remote access to web
applications. Here, a remote employee accesses corporate resources, specifically both
a private (self-hosted) and public (cloud-based) web application.

We have included a few of the most common security measures any reasonable
organization would have in place, including an edge firewall, an internal firewall
for segmentation, and a VPN.

From left to right, this scenario illustrates the life of a session as a user logs in
from a public location — a scenario that subsequent design graphics will build upon.

Note: This graphic only depicts the devices, appliances, and traffic flows involved
in this specific network transaction and does not represent a comprehensive snapshot
of all technologies that would be present in a legacy network architecture.

[Diagram: a Remote Endpoint at a Coffee Shop connects over VPN, with a split tunnel
carrying other traffic to a Malicious site and to a cloud Web App, to the Data Center
/ HQ: Edge Firewall, VPN Concentrators, Load balancer, Internal DNS, Internal
Firewall, the Subnet holding the private Web App, Active Directory, and the Identity
Provider (IDP).]

Network/Security Action

1 | A remote device connects to corporate resources via public Wifi
2 | The remote device reaches corporate edge via VPN client, but split tunnels other traffic
3 | VPN terminates at Edge Firewall or VPN Concentrator behind firewall
4 | Firewall policy grants remote user access to subnet with private web application
5 | User accesses web app via private IP/URL [5a] or Public URL [5b] after authenticating to IDP
Legacy design - security flaws

This graphic adds another column to the table below highlighting the security flaws
associated with each specific step in this scenario that leave an organization
vulnerable.

[Diagram: the same legacy topology as on the previous page (Remote Endpoint at a
Coffee Shop, split tunnel to a Malicious site and a cloud Web App, VPN to the Edge
Firewall, VPN Concentrators, Load balancer, Internal DNS, Internal Firewall, Subnet
with the Web App, Active Directory, Identity Provider (IDP), Cloud, Data Center /
HQ), with steps 1 to 5b marked.]

Network/Security Action | Relevant Legacy Solution | Legacy Design Flaw

1 | A remote device connects to corporate resources via public Wifi
    Relevant Legacy Solution: Corporate VPN Client
    Legacy Design Flaw: An unsecured device on public wi-fi is a target for bad actors

2 | The remote endpoint reaches corporate edge via VPN client, but split tunnels other traffic
    Relevant Legacy Solution: Corporate VPN Client
    Legacy Design Flaw: VPN-specific security will not protect split-tunneled traffic

3 | VPN terminates at Edge Firewall or VPN Concentrator behind firewall
    Relevant Legacy Solution: Load balancer, Edge Firewall, VPN Concentrator
    Legacy Design Flaw: Inbound FW/VPN Rules may expose ports/protocols to the internet, expanding potential attack surface

4 | Firewall policy grants remote user access to subnet with private web application
    Relevant Legacy Solution: Internal Firewall
    Legacy Design Flaw: The user has access to resources outside their job function

5 | User accesses web app via private IP/URL [5a] or Public URL [5b] after authenticating to IDP
    Relevant Legacy Solution: Active Directory, Internal DNS (Private)
    Legacy Design Flaw: If the endpoint is compromised, company app/network is at risk
Legacy design - required security add-ons

To address the design flaws highlighted in the previous page, the organization now
needs to modify their existing network architecture. This graphic adds another column
to the table below, detailing typical solutions to protect users and resources.

Layering each security add-on adds complexity and ongoing management costs across
likely multiple vendors to the legacy environment.

[Diagram: the same legacy topology (Remote Endpoint at a Coffee Shop, split tunnel to
a Malicious site and a cloud Web App, VPN to the Edge Firewall, VPN Concentrators,
Load balancer, Internal DNS, Internal Firewall, Subnet with the Web App, Active
Directory, Identity Provider (IDP), Cloud, Data Center / HQ), now with a Web Proxy
and an IDS added behind the Edge Firewall.]

Network/Security Action | Relevant Legacy Solution | Legacy Design Flaw | Required Security Add-on

1 | A remote device connects to corporate resources via public Wifi
    Relevant Legacy Solution: Corporate VPN Client
    Legacy Design Flaw: An unsecured device on public wi-fi is a target for bad actors
    Required Security Add-on: Endpoint Protection Platform (EPP)

2 | The remote device reaches corporate edge via VPN client, but split tunnels other traffic
    Relevant Legacy Solution: Corporate VPN Client
    Legacy Design Flaw: VPN-specific security will not protect split-tunneled traffic
    Required Security Add-on: Disable Split Tunnel

3 | VPN terminates at Edge Firewall or VPN Concentrator behind firewall
    Relevant Legacy Solution: Load balancer, Edge Firewall, VPN Concentrator
    Legacy Design Flaw: Inbound FW/VPN Rules may expose ports/protocols to the internet, expanding potential attack surface
    Required Security Add-on: Intrusion Detection System (IDS)

4 | Firewall policy grants remote user access to subnet with private web application
    Relevant Legacy Solution: Internal Firewall
    Legacy Design Flaw: The user has access to resources outside their job function
    Required Security Add-on: Web Proxy

5 | User accesses web app via private IP/URL [5a] or Public URL [5b] after authenticating to IDP
    Relevant Legacy Solution: Active Directory, Internal DNS (Private)
    Legacy Design Flaw: If the endpoint is compromised, company app/network is at risk
    Required Security Add-on: Mobile Device Mgmt (MDM) Server
Cloudflare One design

The graphic below highlights how an organization can adopt a simpler, more efficient
approach to secure application access by implementing Cloudflare One. Here, much of
the legacy network architecture shown beforehand is offloaded to Cloudflare, and many
of the existing design flaws are corrected without the need for additional solutions.

With Cloudflare One, the traffic between the remote user and the organization’s
resources runs along Cloudflare’s global network with single-pass inspection. All
services shown below run in all of Cloudflare’s data centers, located in 250+ cities
in over 100 countries.

[Diagram: the remote endpoint at the Coffee Shop runs the Cloudflare device client and
sends all traffic into Cloudflare, where the 1.1.1.1 DNS resolver, SWG policy,
Browser isolation (for the Compromised site) and Zero Trust policy are applied. A
Cloudflare Tunnel reaches the Web app and Identity provider in the Data Center / HQ,
and a SAML connector reaches the Web app in the Cloud.]

Network/Security Action | Relevant Cloudflare One Element | Design Flaw Correction

1 | A remote device connects to corporate resources and the internet via Cloudflare
    Relevant Cloudflare One Element: Cloudflare Device Client; Secure Web Gateway policy; Browser Isolation
    Design Flaw Correction: Local Secure Web Gateway client lets Cloudflare One filter DNS/HTTP/Network traffic to user’s device via gateway policy. Browser Isolation absorbs/isolates impact of successful malware attacks from websites.

2 | User undergoes IDP and device posture checks in Cloudflare
    Relevant Cloudflare One Element: Zero Trust policy
    Design Flaw Correction: Zero Trust policy performs device posture check before permitting access, mitigating risk of compromised devices. Zero Trust policy authenticates user to the resource instead of the underlying network, preventing lateral movement.

3 | Access [Private | Public] web app directly via [Cloudflare Tunnel | SAML Connector]
    Relevant Cloudflare One Element: Cloudflare Tunnel; 1.1.1.1 DNS resolver
    Design Flaw Correction: Cloudflare Tunnel securely brokers a connection to the web application and eliminates the use of explicit FW rules
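The difference between legacy step 4 (a firewall rule grants the VPN user a whole subnet) and Cloudflare One step 2 (a per-application decision that combines identity with a device posture check) can be made concrete in code. The block below is an added illustration for readers of this guide, not Cloudflare's code: the subnet rule, group names and posture fields are constructed assumptions, not Cloudflare One policy syntax, and the point it shows is that a network-level grant reaches every host in the subnet while a per-app decision grants nothing beyond the one application evaluated.

```python
"""Legacy subnet reachability vs. per-application Zero Trust decision.

Added example, not Cloudflare code. All rules, identities, groups and posture
signals are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


# --- Legacy model: internal firewall rule = (source range, destination subnet) ---

LEGACY_RULES = [
    # constructed rule: the VPN address pool may reach the application subnet
    {"src": ip_network("10.99.0.0/24"), "dst": ip_network("10.10.20.0/24")},
]


def legacy_reachable(src_ip: str, dst_ip: str, rules=LEGACY_RULES) -> bool:
    """True if any rule lets src_ip reach dst_ip.

    The decision knows nothing about who the user is or what runs on dst_ip:
    once the tunnel is up, every host in the granted subnet is reachable."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in r["src"] and dst in r["dst"] for r in rules)


# --- Zero Trust model: per-application policy on identity + device posture ---

@dataclass
class DevicePosture:
    disk_encrypted: bool
    os_patched: bool
    managed: bool


@dataclass
class Identity:
    email: str
    groups: set = field(default_factory=set)  # groups asserted by the IdP


@dataclass
class AppPolicy:
    app: str
    allowed_groups: set
    require_posture: bool = True


def posture_ok(p: DevicePosture) -> bool:
    """Constructed posture rule: all three signals must hold."""
    return p.disk_encrypted and p.os_patched and p.managed


def ztna_decision(identity: Identity, posture: DevicePosture,
                  policy: AppPolicy) -> tuple:
    """Return (allowed, reason) for ONE application.

    Passing for one app grants no reachability to anything else, which is what
    removes the lateral-movement path the legacy subnet grant leaves open."""
    if not identity.groups & policy.allowed_groups:
        return False, "identity not in an allowed group"
    if policy.require_posture and not posture_ok(posture):
        return False, "device posture check failed"
    return True, "identity and posture satisfied"


if __name__ == "__main__":
    # Legacy: the VPN user reaches hosts they were never meant to use.
    print("legacy, app host:   ", legacy_reachable("10.99.0.7", "10.10.20.5"))
    print("legacy, other host: ", legacy_reachable("10.99.0.7", "10.10.20.250"))
    # Zero Trust: same user, same app, posture decides.
    alice = Identity("alice@example.com", {"finance"})
    ledger = AppPolicy("ledger", {"finance"})
    print("ztna, healthy device:", ztna_decision(alice, DevicePosture(True, True, True), ledger))
    print("ztna, unencrypted:   ", ztna_decision(alice, DevicePosture(False, True, True), ledger))
```

Run it as a script to see both models side by side; the legacy check returns True for every address in 10.10.20.0/24, whereas the Zero Trust check has to be evaluated again for each application and fails closed on a bad posture signal.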
Use Case 2:
DNS Filtering
Legacy design - first glance

This graphic represents how organizations implement DNS filtering for onsite and
remote employees in a legacy environment.

Typically, DNS filtering for organizations is accomplished via built-in features of
on-prem solutions like a firewall. Remote users send requests through this firewall by
first backhauling traffic through a full-tunnel VPN.

To resolve websites, the organization sends its DNS queries to a recursive DNS (like
Google's 8.8.8.8).

Note: Just as with other sections in this guide, this legacy environment does not
represent every technology inside an office, but only the ones involved in this
specific use case.

[Diagram: an Office with an Employee Subnet behind an Edge Firewall, and a Remote user
reaching that firewall over VPN; outbound DNS queries go to a Recursive DNS on the
Internet, where an Unacceptable site and a Malicious site also sit.]

DNS-Related Event

1 | An onsite user has their DNS requests content filtered for security by the built-in feature on the Edge Firewall
2 | A remote user has their DNS requests filtered after connecting to the organization’s full tunnel VPN
3 | Outbound DNS requests are transmitted in the clear.
Legacy design - operational flaws

This next graphic adds a column to the table below articulating the challenges
associated with this traditional design.

The most pressing challenge is that relying on local hardware to perform DNS filtering
at scale will eventually bottleneck performance for all users, especially when that
hardware is responsible for other critical services as well (such as terminating the
remote-user VPN).


In addition, sending DNS queries without encryption (which occurs by default) creates a new attack 
vector with unknown risk. 
DNS-Related Event | Relevant Elements | Design Flaw

1 | An onsite user has their DNS requests content filtered for security by the built-in feature on the Edge Firewall
    Relevant Elements: Edge Firewall
    Design Flaw: Relying on the Edge FW for too many essential operations can degrade performance across the organization

2 | A remote user has their DNS requests filtered after connecting to the organization’s full tunnel VPN
    Relevant Elements: VPN Concentrator, Edge Firewall
    Design Flaw: A full-tunnel VPN creates a ‘double tax’ of internet packets, which can create a performance bottleneck for the entire organization’s tunneled traffic

3 | Outbound DNS requests are transmitted in the clear.
    Relevant Elements: UDP53
    Design Flaw: DNS over UDP port 53 is unencrypted and therefore not private. Anyone who sees that can recon user web behavior
Legacy design - required network modifications

To address the design flaws highlighted in the previous page, the organization now
needs to modify their existing network architecture. This graphic adds another column
to the table below, highlighting common solutions with their own drawbacks.

Here, buying new hardware to handle more users or increase bandwidth consumption will
lead to higher capital and operational expenses over time.

Organizations that attempt to scale this approach themselves often encounter
considerable growing pains, and in fact, many organizations avoid DNS filtering
entirely because of these operational concerns.

[Diagram: the same Office topology (Employee Subnet, Edge Firewall, Remote user) with
outbound DNS to a Recursive DNS on the Internet, alongside an Unacceptable site and a
Malicious site.]

DNS-Related Event | Relevant Elements | Design Flaw | Non-Cloudflare Solution

1 | An onsite user has their DNS requests content filtered for security by the built-in feature on the Edge Firewall
    Relevant Elements: Edge Firewall
    Design Flaw: Relying on the Edge FW for too many essential operations can degrade performance across the organization
    Non-Cloudflare Solution: Discrete DNS Filter

2 | A remote user has their DNS requests filtered after connecting to the organization’s full tunnel VPN
    Relevant Elements: VPN Concentrator, Edge Firewall
    Design Flaw: A full-tunnel VPN creates a ‘double tax’ of internet packets, which can create a performance bottleneck for the entire organization’s tunneled traffic
    Non-Cloudflare Solution: Increase ISP bandwidth; Hardware upgrade; Enable Split Tunnel*

3 | Outbound DNS requests are transmitted in the clear.
    Relevant Elements: UDP53
    Design Flaw: DNS over UDP port 53 is unencrypted and therefore not private. Anyone who sees that can recon user web behavior
    Non-Cloudflare Solution: DNS over TLS/HTTPS
Cloudflare One design

Organizations that adopt Cloudflare One point their traffic to Cloudflare’s global
network and can perform DNS filtering for the entire workforce without worrying about
the operational limits of their local hardware.

Cloudflare’s DNS filtering is easy to deploy for both on-prem and remote users:
- Traffic from office users is sent to Cloudflare based on the outbound IP from the edge firewall
- Traffic from remote users is sent to Cloudflare from our device client

In addition, Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/HTTPS, which
resolves the security issue detailed in the legacy environment.

[Diagram: office users and the Remote user send their DNS queries to Cloudflare, which
filters the Malicious site.]

DNS-Related Event | Relevant Cloudflare One Element | Design Flaw Correction

1 | Both onsite and remote users have their DNS requests content filtered by Cloudflare
    Relevant Cloudflare One Element: Secure Web Gateway
    Design Flaw Correction: Gateway DNS policies offload DNS filtering from local hardware (or provide it for the first time)

2 | The organization’s DNS requests are encrypted before being sent out.
    Relevant Cloudflare One Element: 1.1.1.1 DNS resolver
    Design Flaw Correction: Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/HTTPS, encrypting DNS requests and hindering hostile reconnaissance
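Two rows of the use case above can be shown on one constructed DNS packet: the legacy design flaw for UDP53 (the queried name sits in plaintext in the UDP payload, so an on-path observer reads it with no key) and the gateway DNS policy correction (a filter decides on that same name by category, wherever the query is sent from). The block below is an added example for readers of this guide, not Cloudflare code: the wire format is the standard DNS question section from RFC 1035, while the category table and block list are constructed stand-ins for a resolver's threat and content feed, not Cloudflare's categories or policy syntax.

```python
"""Plaintext DNS on UDP/53: what an observer sees, and what a gateway filter decides.

Added example, not Cloudflare code. build_query() constructs the packets so the
block runs offline; CATEGORIES and BLOCKED_CATEGORIES are constructed data.
"""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A query (RFC 1035 wire format) for `name`."""
    # header: id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    qname += b"\x00"                      # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Read the queried name straight out of the UDP payload.

    No key and no decryption are involved: this is exactly what anyone on the
    path of a UDP/53 query can do, which is the 'not private' flaw above."""
    pos = 12                              # skip the 12-byte header
    labels = []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:                 # compression pointer, not valid here
            raise ValueError("compressed label in question section")
        pos += 1
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def observe_wire(packets) -> list:
    """What a passive observer of plaintext DNS reconstructs: every name a user
    looked up, in order."""
    return [parse_qname(p) for p in packets]


# Constructed category data standing in for a resolver's threat/content feed.
CATEGORIES = {
    "malicious.example": "malware",
    "unacceptable.example": "adult",
    "intranet.example": "internal",
}
BLOCKED_CATEGORIES = {"malware", "adult"}


def categorize(name: str) -> str:
    """Walk up the hierarchy so sub.malicious.example inherits its parent's category."""
    parts = name.lower().split(".")
    for i in range(len(parts)):
        cat = CATEGORIES.get(".".join(parts[i:]))
        if cat:
            return cat
    return "uncategorized"


def filter_query(packet: bytes) -> dict:
    """Gateway-style decision for one query packet, independent of where the
    query came from (office egress IP or a remote device client)."""
    name = parse_qname(packet)
    cat = categorize(name)
    action = "block" if cat in BLOCKED_CATEGORIES else "allow"
    return {"name": name, "category": cat, "action": action}


if __name__ == "__main__":
    queries = [build_query(n) for n in
               ("www.malicious.example", "docs.intranet.example", "example.org")]
    print("visible on the wire:", observe_wire(queries))
    for q in queries:
        print(filter_query(q))
```

The same `filter_query` applies whether the query arrived from an office egress IP or a remote device client, which is the "both onsite and remote" point of row 1; and `observe_wire` is the reason row 2 moves the query onto DNS over TLS/HTTPS, where the UDP payload is no longer readable in transit.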